[jira] [Commented] (SCM-763) Password masking on linux does not work
[
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16422743#comment-16422743
]
Michael Osipov commented on SCM-763:
The following has been tried in Konsole on Fedora 27:
{noformat}
mosipov@localhost SCM-763]$ mvn scm:list -Dpassword=toll
[INFO] Scanning for projects...
[INFO]
[INFO] < net.sf.michael-o.dirctxsrc:dircontextsource >-
[INFO] Building dircontextsource 2.1.1-SNAPSHOT
[INFO] [ jar ]-
[INFO]
[INFO] --- maven-scm-plugin:1.9.6-SNAPSHOT:list (default-cli) @
dircontextsource ---
[INFO] Executing: /bin/sh -c cd /tmp && svn --password '*' --no-auth-cache
--non-interactive list --recursive
file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2/.
[ERROR] Provider message:
[ERROR] The svn command failed.
[ERROR] Command output:
[ERROR] svn: E170013: Unable to connect to a repository at URL
'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
svn: E180001: Unable to open repository
'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'{noformat}
as well as with space
{noformat}
mosipov@localhost SCM-763]$ mvn scm:list -Dpassword=toll
[INFO] Scanning for projects...
[INFO]
[INFO] < net.sf.michael-o.dirctxsrc:dircontextsource >-
[INFO] Building dircontextsource 2.1.1-SNAPSHOT
[INFO] [ jar ]-
[INFO]
[INFO] --- maven-scm-plugin:1.9.6-SNAPSHOT:list (default-cli) @
dircontextsource ---
[INFO] Executing: /bin/sh -c cd /tmp && svn --password '*' --no-auth-cache
--non-interactive list --recursive
file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2/.
[ERROR] Provider message:
[ERROR] The svn command failed.
[ERROR] Command output:
[ERROR] svn: E170013: Unable to connect to a repository at URL
'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
svn: E180001: Unable to open repository
'file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2'
{noformat}
Yes, there are shortcoming, but I cannot reproduce the depicted case. Can
someone provide a test sample?
> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-scm-provider-svn
>Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
>Reporter: Tobias Kalmes
>Priority: Major
>
> Passwords are not masked in the log output on Linux machines. The masking
> works as intended on Windows machines. On linux machines tho the password is
> printed in clear text. This seems to be a problem due to the additional
> single quotes that are added around the parameters on linux machines.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (SCM-763) Password masking on linux does not work
[
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16422655#comment-16422655
]
Michael Osipov commented on SCM-763:
For the record, it is also broken on Windows too:
{noformat}
PS D:\Entwicklung\Projekte\scm-svn-test-at-sign> mvn scm:list "-Dpassword=mumu
ab"
[INFO] Scanning for projects...
[INFO]
[INFO] < net.sf.michael-o.dirctxsrc:dircontextsource >-
[INFO] Building dircontextsource 2.1.1-SNAPSHOT
[INFO] [ jar ]-
[INFO]
[INFO] --- maven-scm-plugin:1.9.6-SNAPSHOT:list (default-cli) @
dircontextsource ---
[INFO] Executing: cmd.exe /X /C "svn --password * ab" --no-auth-cache
--non-interactive list --recursive
file:///D:/Entwicklung/svn-repos/scm-svn-test-at-sign/branches/toll2/."
[INFO] Working directory: C:\Users\mosipov\AppData\Local\Temp{noformat}
> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-scm-provider-svn
>Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
>Reporter: Tobias Kalmes
>Priority: Major
>
> Passwords are not masked in the log output on Linux machines. The masking
> works as intended on Windows machines. On linux machines tho the password is
> printed in clear text. This seems to be a problem due to the additional
> single quotes that are added around the parameters on linux machines.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (SCM-763) Password masking on linux does not work
[ https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16404715#comment-16404715 ] Weston Bustraan commented on SCM-763: - [~michael-o], you are correct, the regex does treat the ending double quote as part of the password in your example; you would probably need a more complex routine or regex to perfectly handle that. However, the string produced by the password masking isn't intended to actually be executed by the OS; it is just printed on stdout for the user to see. The goal is to prevent the password from being printed to the log output and I believe that it still accomplishes that goal better than the original implementation. > Password masking on linux does not work > --- > > Key: SCM-763 > URL: https://issues.apache.org/jira/browse/SCM-763 > Project: Maven SCM > Issue Type: Bug > Components: maven-scm-provider-svn >Affects Versions: 1.9 > Environment: Jenkins 1.502 on a SLES11 >Reporter: Tobias Kalmes >Priority: Major > > Passwords are not masked in the log output on Linux machines. The masking > works as intended on Windows machines. On linux machines tho the password is > printed in clear text. This seems to be a problem due to the additional > single quotes that are added around the parameters on linux machines. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SCM-763) Password masking on linux does not work
[
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16403773#comment-16403773
]
Michael Osipov commented on SCM-763:
[~wbustraan], your improved version does not work:
{code:java}
public static void main(String[] args) {
Commandline cl = new Commandline(new CmdShell());
cl.setExecutable("svn");
cl.createArg().setValue("--password");
cl.createArg().setValue("mumu");
System.out.println(cl);
String clString = cl.toString();
final String mask = "'**'";
final Matcher matcher =
Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
.matcher(clString);
final StringBuffer replaced = new StringBuffer();
while (matcher.find()) {
final String argPrefix = matcher.group(1);
matcher.appendReplacement(replaced, argPrefix + mask);
}
matcher.appendTail(replaced);
System.out.println(replaced.toString());
}
{code}
{noformat}
cmd.exe /X /C "svn --password mumu"
cmd.exe /X /C "svn --password '**'
{noformat}
> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-scm-provider-svn
>Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
>Reporter: Tobias Kalmes
>Priority: Major
>
> Passwords are not masked in the log output on Linux machines. The masking
> works as intended on Windows machines. On linux machines tho the password is
> printed in clear text. This seems to be a problem due to the additional
> single quotes that are added around the parameters on linux machines.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (SCM-763) Password masking on linux does not work
[
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15876320#comment-15876320
]
Weston Bustraan commented on SCM-763:
-
This also occurs on Macs.
The culprit is actually
{{org.apache.maven.scm.provider.svn.svnexe.command.SvnCommandLineUtils.cryptPassword(Commandline)}}
It has a rather... naïve, to be polite, implementation of the password masking.
It only works if there is _exactly_ one space after {{--password}}. Any other
condition and the password is not masked.
So, if the command line string is this:
{code}svn --username myusername --password swordfish --no-auth-cache
--non-interactive --trust-server-cert info{code}
... the output is:
{code}svn --username myusername --password '*' --no-auth-cache
--non-interactive --trust-server-cert info{code}
However, it appears that, at some point, a change was made elsewhere that wraps
everything in quotes on *nix OSes:
{code}
'svn' '--username' 'myusername' '--password' 'swordfish' '--no-auth-cache'
'--non-interactive' '--trust-server-cert' 'info'
{code}
Now, since {{--password}} is followed immediately by a single quote, instead of
a single space, the mask is inserted but does not replace the actual password:
{code}'svn' '--username' 'myusername' '--password''*' 'swordfish'
'--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'{code}
Here is an improved version of {{cryptPassword}} using a regex in order to
handle more diverse input:
{code}
public static String cryptPassword( Commandline cl )
{
String clString = cl.toString();
final String mask = "'**'";
final Matcher matcher =
Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
.matcher(clString);
final StringBuffer replaced = new StringBuffer();
while (matcher.find()) {
final String argPrefix = matcher.group(1);
matcher.appendReplacement(replaced, argPrefix + mask);
}
matcher.appendTail(replaced);
return replaced.toString();
}
{code}
> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-scm-provider-svn
>Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
>Reporter: Tobias Kalmes
>
> Passwords are not masked in the log output on Linux machines. The masking
> works as intended on Windows machines. On linux machines tho the password is
> printed in clear text. This seems to be a problem due to the additional
> single quotes that are added around the parameters on linux machines.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
